Canada joins global trend for tougher privacy rules

15 July 2019

Canada is set to introduce tougher data privacy rules, joining a growing list of countries giving new rights to consumers and holding companies to account.

In May, Canada’s federal government launched its Digital Charter; 10 broad principles intended to guide future legislative changes, including plans to modernise the country’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act.

These include principles on the security, transparency, and portability of data, as well as rights around the consent, access to and control of data. The principles also promise strong enforcement and accountability of data protection and privacy laws.

The government says Canadians want more transparency in how their data is collected and used. Research by the Department of Innovation, Science and Economic Development concluded that existing consent-based models are inadequate and that people want greater control over their personal data.

It also found that many Canadian companies, in particular small to medium enterprises, have difficulty understanding how best to comply with existing data and privacy legislation, and that changes to PIPEDA must consider emerging privacy norms internationally.

Canada joins global trend for tougher privacy rulesThe Canadian government is planning to compile a discussion paper to examine the proposed changes to PIPEDA, including issues surrounding consent, enforcement, transparency, and data mobility.

Canada has already taken steps to toughen its data protection laws. Last year, the government introduced mandatory breach reporting regulations, which require companies to inform Canadians if their private information has been lost or stolen, and if they have been placed at risk of harm.

They must report these breaches to the Office of the Privacy Commissioner of Canada – which recently received a commitment for additional funding – and maintain records of all data breaches for at least two years.

The government will now examine options to strengthen the enforcement powers of the commissioner, and increase collaboration with other key enforcement bodies on privacy, competition, and the broader data economy.

International Trend

Canada is not alone in modernising its privacy laws. Singapore recently announced plans to strengthen its breach notification and privacy laws, while California, Brazil, and Australia are all looking to mirror aspects of the EU General Data Protection Regulation (GDPR).

In May, Singapore’s Personal Data Protection Commission (PDPC) launched a number of initiatives, including a public consultation on the proposed data portability provisions, as part of a review of the country’s Personal Data Protection Act (PDPA).

The consultation is the third under the ongoing review of the PDPA and follows the publication of a data portability discussion paper launched in February 2019.

Singapore also proposes to amend their Guide to Managing Data Breaches, introducing more stringent thresholds and timescales for reporting a data breach. The changes would require organisations to complete an investigation into a suspected data security breach within 30 days and to notify the authorities of the incident within 72 hours of completing their assessment.

Australia recently announced changes to the country’s data protection laws, including increased enforcement powers for the country’s data protection and privacy regulator, the Office of the Australian Information Commissioner (OAIC).

The move, which follows the introduction of a mandatory breach notification regime in 2018, will mean higher penalties for companies that breach data protection laws, making it easier for the OAIC to pursue investigations and respond to breaches.

Elsewhere, Brazilian legislators approved the creation of the country’s first data protection authority (known as the ANPD) in June. The move follows the passing of the Brazilian General Data Protection Act (also known as LGPD) in August 2018, which will introduce tough privacy and data protection laws in August 2020. The new laws closely follow the GDPR.

Subscribe to our latest News & Insights Sign up to our latest  news & insights


The purpose of this legislative redirection is to increase the rights of consumers when it comes to data protection and privacy law. A number of countries are now introducing new rights around consent, data portability, and the subject's right to have their personal data deleted. At the same time, international regulatory co-operation on data and privacy is increasing.

Singapore says its latest proposals are intended to align the PDPA with a “global push towards data portability” with other jurisdictions that are implementing or planning to implement data portability in their respective data protection regimes. The PDPD said that alignment is needed to keep pace with progressive global developments and strengthen international recognition of Singapore’s data protection regime.

In May, Hong Kong and Singapore’s data protection authorities agreed to cooperate on personal data protection. Under the agreement, the two will share best practice guidelines and information on data breach investigations. Already the cooperation has resulted in a jointly developed guide for information and communications technology systems.

Privacy Insurance

Privacy risks are increasing and can be covered under a standalone cyber insurance policy. However, many cyber insurance policies are triggered by a data breach, not a breach of data protection or privacy laws.

Some fine tuning of triggers, therefore, may be required to ensure the consequences of increased privacy regulation are covered by insurance.



  • Sarah StephensSarah Stephens

    As part of Marsh JLT Specialty's London-based Financial Lines Group, Sarah and her team work both directly with our clients and with network colleagues and independent partners to make sense of cyber, technology, and media E&O (PI) risks and create leading edge bespoke insurance solutions in the London market.

    Prior, Sarah spent 12 years with Aon in a variety of roles. Her last role at Aon was Head of Cyber & Commercial E&O for the Europe, Middle East, and Africa (EMEA) Region, working with colleagues across business groups and clients in the region to identify, analyse, and drive awareness of cyber risks, exposures, and both insurance and non-insurance solutions.

    Previously, Sarah spent seven years with Aon’s US Cyber and Errors & Omissions practice group thinking nonstop about cyber insurance way before it was cool. Her first four years at Aon were spent in the Account Management group working with large clients and developing a keen eye for excellent client service.

    For further information or to learn more about cyber insurance, contact Sarah Stephens, Head of Cyber, on +44 (0)20 8108 9541.

  • For more articles like this, download our Cyber Decoder

    Share this article